@abtnode/router-provider 1.16.38-beta-20250116-083413-dbd33222 → 1.16.38-beta-20250118-033334-2da05ae8

package/lib/nginx/includes/security/crs4/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf

@@ -0,0 +1,417 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# Skip all rules if RESPONSE_BODY is compressed.
+SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
+    "id:951010,\
+    phase:4,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:951012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ SQL Error Leakages ]=-
+#
+# Ref: https://github.com/sqlmapproject/sqlmap
+# Ref: https://github.com/Arachni/arachni/tree/master/components/checks/active/sql_injection/regexps
+#
+SecRule RESPONSE_BODY "!@pmFromFile sql-errors.data" \
+    "id:951100,\
+    phase:4,\
+    pass,\
+    t:none,\
+    nolog,\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    skipAfter:END-SQL-ERROR-MATCH-PL1"
+
+SecRule RESPONSE_BODY "@rx (?i:JET Database Engine|Access Database Engine|\[Microsoft\]\[ODBC Microsoft Access Driver\])" \
+    "id:951110,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Microsoft Access SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-msaccess',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+# Regular expression generated from regex-assembly/951120.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 951120
+#
+SecRule RESPONSE_BODY "@rx (?i)\bORA-[0-9][0-9][0-9][0-9][0-9]:|java\.sql\.SQLException|Oracle(?: erro|[^\(\)]{0,20}Drive)r|Warning.{1,10}o(?:ci_.{1,30}|ra_.{1,20})" \
+    "id:951120,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Oracle SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-oracle',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:DB2 SQL error:|\[IBM\]\[CLI Driver\]\[DB2/6000\]|CLI Driver.*DB2|DB2 SQL error|db2_\w+\()" \
+    "id:951130,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'DB2 SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-db2',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:\[DM_QUERY_E_SYNTAX\]|has occurred in the vicinity of:)" \
+    "id:951140,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'EMC SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-emc',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)Dynamic SQL Error" \
+    "id:951150,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'firebird SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-firebird',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)Exception (?:condition )?\d+\. Transaction rollback\." \
+    "id:951160,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Frontbase SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-frontbase',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)org\.hsqldb\.jdbc" \
+    "id:951170,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'hsqldb SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-hsqldb',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:An illegal character has been found in the statement|com\.informix\.jdbc|Exception.*Informix)" \
+    "id:951180,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'informix SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-informix',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:Warning.*ingres_|Ingres SQLSTATE|Ingres\W.*Driver)" \
+    "id:951190,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'ingres SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-ingres',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:<b>Warning</b>: ibase_|Unexpected end of command in statement)" \
+    "id:951200,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'interbase SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-interbase',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i:SQL error.*POS[0-9]+.*|Warning.*maxdb.*)" \
+    "id:951210,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'maxDB SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-maxdb',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)(?:System\.Data\.OleDb\.OleDbException|\[Microsoft\]\[ODBC SQL Server Driver\]|\[Macromedia\]\[SQLServer JDBC Driver\]|\[SqlException|System\.Data\.SqlClient\.SqlException|Unclosed quotation mark after the character string|'80040e14'|mssql_query\(\)|Microsoft OLE DB Provider for ODBC Drivers|Microsoft OLE DB Provider for SQL Server|Incorrect syntax near|Sintaxis incorrecta cerca de|Syntax error in string in query expression|Procedure or function .* expects parameter|Unclosed quotation mark before the character string|Syntax error .* in query expression|Data type mismatch in criteria expression\.|ADODB\.Field \(0x800A0BCD\)|the used select statements have different number of columns|OLE DB.*SQL Server|Warning.*mssql_.*|Driver.*SQL[ _-]*Server|SQL Server.*Driver|SQL Server.*[0-9a-fA-F]{8}|Exception.*\WSystem\.Data\.SqlClient\.|Conversion failed when converting the varchar value .*? to data type int\.)" \
+    "id:951220,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'mssql SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-mssql',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+# Regular expression generated from regex-assembly/951230.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 951230
+#
+SecRule RESPONSE_BODY "@rx (?i)(?:supplied argument is not a valid |SQL syntax.*)MySQL|Column count doesn't match(?: value count at row)?|mysql_fetch_array\(\)|on MySQL result index|You have an error in your SQL syntax(?:;| near)|MyS(?:QL server version for the right syntax to use|qlClient\.)|\[MySQL\]\[ODBC|(?:Table '[^']+' doesn't exis|valid MySQL resul)t|Warning.{1,10}mysql_(?:[\(\)_a-z]{1,26})?|(?:ERROR [0-9]{4} \([0-9a-z]{5}\)|XPATH syntax error):" \
+    "id:951230,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'mysql SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-mysql',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+# Regular expression generated from regex-assembly/951240.ra.
+# To update the regular expression run the following shell script
+# (consult https://coreruleset.org/docs/development/regex_assembly/ for details):
+#   crs-toolchain regex update 951240
+#
+SecRule RESPONSE_BODY "@rx (?i)P(?:ostgreSQL(?: query failed:|.{1,20}ERROR)|G::[a-z]*Error)|(?:pg_(?:query|exec)\(\) \[|org\.postgresql\.util\.PSQLException):|Warning.{1,20}\bpg_.*|valid PostgreSQL result|Npgsql\.|Supplied argument is not a valid PostgreSQL .*? resource|(?:Unable to connect to PostgreSQL serv|invalid input syntax for integ)er" \
+    "id:951240,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'postgres SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-pgsql',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)(?:Warning.*sqlite_.*|Warning.*SQLite3::|SQLite/JDBCDriver|SQLite\.Exception|System\.Data\.SQLite\.SQLiteException)" \
+    "id:951250,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'sqlite SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-sqlite',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecRule RESPONSE_BODY "@rx (?i)(?:Sybase message:|Warning.{2,20}sybase|Sybase.*Server message.*)" \
+    "id:951260,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Sybase SQL Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-multi',\
+    tag:'platform-sybase',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116/54',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'CRITICAL',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.critical_anomaly_score}',\
+    setvar:'tx.sql_injection_score=+%{tx.critical_anomaly_score}'"
+
+SecMarker "END-SQL-ERROR-MATCH-PL1"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:951014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:951016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:951018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-951-DATA-LEAKAGES-SQL"

package/lib/nginx/includes/security/crs4/rules/RESPONSE-952-DATA-LEAKAGES-JAVA.conf

@@ -0,0 +1,108 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# Skip all rules if RESPONSE_BODY is compressed.
+SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
+    "id:952010,\
+    phase:4,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:952012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ Java Source Code Leakages ]=-
+#
+SecRule RESPONSE_BODY "@pmFromFile java-code-leakages.data" \
+    "id:952100,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Java Source Code Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-java',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116',\
+    tag:'PCI/6.5.6',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+#
+# -=[ Java Errors ]=-
+#
+# Ref: https://github.com/andresriancho/w3af/blob/master/w3af/plugins/grep/error_pages.py
+#
+SecRule RESPONSE_BODY "@pmFromFile java-errors.data" \
+    "id:952110,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'Java Errors',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-java',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116',\
+    tag:'PCI/6.5.6',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:952014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:952016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:952018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-952-DATA-LEAKAGES-JAVA"

package/lib/nginx/includes/security/crs4/rules/RESPONSE-953-DATA-LEAKAGES-PHP.conf

@@ -0,0 +1,158 @@
+# ------------------------------------------------------------------------
+# OWASP CRS ver.4.9.0
+# Copyright (c) 2006-2020 Trustwave and contributors. All rights reserved.
+# Copyright (c) 2021-2024 CRS project. All rights reserved.
+#
+# The OWASP CRS is distributed under
+# Apache Software License (ASL) version 2
+# Please see the enclosed LICENSE file for full details.
+# ------------------------------------------------------------------------
+
+#
+# -= Paranoia Level 0 (empty) =- (apply unconditionally)
+#
+
+# Skip all rules if RESPONSE_BODY is compressed.
+SecRule RESPONSE_HEADERS:Content-Encoding "@pm gzip compress deflate br zstd" \
+    "id:953010,\
+    phase:4,\
+    pass,\
+    nolog,\
+    tag:'OWASP_CRS',\
+    ver:'OWASP_CRS/4.9.0',\
+    skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953011,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 1" "id:953012,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+#
+# -= Paranoia Level 1 (default) =- (apply only when tx.detection_paranoia_level is sufficiently high: 1 or higher)
+#
+
+#
+# -=[ PHP Error Message Leakage ]=-
+#
+SecRule RESPONSE_BODY "@pmFromFile php-errors.data" \
+    "id:953100,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116',\
+    tag:'PCI/6.5.6',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+#
+# -=[ PHP source code leakage ]=-
+#
+# Detect some common PHP keywords in output.
+#
+SecRule RESPONSE_BODY "@rx (?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open|call_user_func)|\$_(?:(?:pos|ge)t|session))\b" \
+    "id:953110,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP source code leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116',\
+    tag:'PCI/6.5.6',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+# Detect the presence of the PHP open tag "<? ", "<?= " or "<?php " in output.
+#
+# To prevent false positives (due to the short "<?" sequences), we also include,
+# the space after it in an attempt to stop alerts in binary output.
+# And we make it case insensitive.
+#
+SecRule RESPONSE_BODY "@rx (?i)<\?(?:=|php)?\s+" \
+    "id:953120,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP source code leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/1',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116',\
+    tag:'PCI/6.5.6',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953013,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 2" "id:953014,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+#
+# -= Paranoia Level 2 =- (apply only when tx.detection_paranoia_level is sufficiently high: 2 or higher)
+#
+
+#
+# -=[ PHP Error Message Leakage ]=-
+#
+# This is a stricter sibling of rule 953100.
+# This stricter sibling checks for additional error messages which has a higher chance to appear in common language.
+#
+SecRule RESPONSE_BODY "@pmFromFile php-errors-pl2.data" \
+    "id:953101,\
+    phase:4,\
+    block,\
+    capture,\
+    t:none,\
+    msg:'PHP Information Leakage',\
+    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}',\
+    tag:'application-multi',\
+    tag:'language-php',\
+    tag:'platform-multi',\
+    tag:'attack-disclosure',\
+    tag:'paranoia-level/2',\
+    tag:'OWASP_CRS',\
+    tag:'capec/1000/118/116',\
+    tag:'PCI/6.5.6',\
+    ver:'OWASP_CRS/4.9.0',\
+    severity:'ERROR',\
+    setvar:'tx.outbound_anomaly_score_pl2=+%{tx.error_anomaly_score}'"
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953015,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 3" "id:953016,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+#
+# -= Paranoia Level 3 =- (apply only when tx.detection_paranoia_level is sufficiently high: 3 or higher)
+#
+
+
+
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953017,phase:3,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+SecRule TX:DETECTION_PARANOIA_LEVEL "@lt 4" "id:953018,phase:4,pass,nolog,tag:'OWASP_CRS',ver:'OWASP_CRS/4.9.0',skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
+#
+# -= Paranoia Level 4 =- (apply only when tx.detection_paranoia_level is sufficiently high: 4 or higher)
+#
+
+
+
+#
+# -= Paranoia Levels Finished =-
+#
+SecMarker "END-RESPONSE-953-DATA-LEAKAGES-PHP"